
October 2010

October 24, 2010

Computer interfaces to measure and record human movement are becoming more common. These recorded measurements can be analyzed forensically to help identify people.

Microsoft is about to launch Kinect, a technology for detecting and interpreting the movement of humans in a defined space, such as a living room. Initially Microsoft will apply the technology to its Xbox game console, so that players can interact by moving their bodies rather than a joystick or a Wii Remote. Over time, however, Microsoft envisions Kinect gathering human input in many computing environments.

Even though Kinect may not be intended for biometrics today, it will be capturing biometrically measurable information about the movement of people. To one degree or another, the way an individual moves (walks, swings her arms and so on) is unique. If Kinect is capturing and measuring movements, it is inevitable that the measurements will be recorded.

If records exist, then it is only a matter of time before they become the subject of an investigation into who was interacting with a certain computer at a certain place and time. Cell phones and toll road tags were not intended to track the whereabouts of users. But they collect a lot of data about where people are at particular times, and that data became irresistible to divorce lawyers and criminal investigators, who, using the power of law, were able to demand access to it.

Imagine an interactive display in a shopping mall. As patrons walk by, they can interact with the display by dancing, jumping or waving. But eventually there will be an investigation into whether Joey walked by that display (on his way allegedly to rob a store), and authorities will access the data for analysis.

Other sources of measurements of human movement are the accelerometers in iPhones. They have been used, for example, to measure the gait of the person holding the phone. If those measurements can be captured, someone can write an app to record them. Then, contrary to the app writer's intention, some investigator will lawfully tap those records in e-discovery to find out who was using the iPhone.

Behavioral biometric measurements are not, by themselves, highly reliable identifiers of individuals. Still, they can be forensically meaningful: combined with other indicia of identity (such as eyewitness identification), they can help to pinpoint someone.

Behavioral biometric records will be a new privacy battleground in coming years.

October 18, 2010

Electronic commercial law (E-SIGN) is liberal as to what can serve as a legal signature. Essentially, a signature is just a symbol adopted with the intent to approve or authenticate a transaction or a record. The symbol can be as simple as the characters of a name at the bottom of an email.

But e-commerce practitioners have long fussed over how secure a signature should be. They feared that if the signature were just a typed name in an email, then the purported signer could repudiate* the signature by alleging that someone stole the password to his email account, spoofed his email address or tampered with the email record after the email was sent. Although supporting such an allegation in the context of real commercial relationships is often hard to do, the risk of the allegation still causes many lawyers and other professionals to insist that documents be signed by fax or hand-delivered paper.

But technology has changed. Webcams have become very common. They are on all new laptops, and now even smartphones like the iPhone have cameras that face the user. These webcams make video signatures easy, like this:

A webcam signature could be attached to an email that also attaches the document being signed (in the example above, the document is a non-disclosure agreement with Acme Corp.). By itself, email provides a pretty good system of records, controls and audit trails to establish from which account the email came, when it was sent and whether the record of it was tampered with. But the webcam signature adds an additional layer of reliability. It shows the signer moving his lips and speaking the words of intent to sign.

Yes, a webcam signature can be forged. But forgery is not easy amid the details of an actual commercial relationship. The forger must coordinate a fabrication of audio and video in a way that fits with the other facts of the real situation.

A webcam signature is emotionally very compelling because it involves recorded, physical activity. It’s hard to say I did not soberly, knowingly, voluntarily intend to sign the NDA.

Note one of the controls I used in the webcam signature example above: I spoke the date and time. The date and time in the video can sync up with the time stamp on the email, making a potential forger's work all the more difficult.

Mr. Wright is the founding author of The Law of Electronic Commerce, a treatise originally published in 1991.

*Signatures are sometimes needed for proving that a particular individual approved a transaction. Experience teaches that signatures can be useful to connect an individual to a legal act. Some criminal prosecutions have failed on account of the prosecutor's inability to prove that the defendant signed a document. For example, in United States v. Larm, 824 F.2d 780 (9th Cir. 1987), an allergist was acquitted of Medicare fraud concerning claim forms he did not personally sign. In United States v. Brown, 763 F.2d 984 (8th Cir.), cert. denied, 474 U.S. 905 (1985), the conviction of a pharmacist was reversed on some counts because the government could not link him, through a signature or initials, to claims submitted to the government for brand-name drugs when generic drugs were dispensed.


Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.


Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.
